Multiple vulnerabilities in Dell Wyse
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-12351 CVE-2020-12352 |
| CWE-ID | CWE-20 CWE-284 |
| Exploitation vector | Local network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Wyse 5470 Hardware solutions / Firmware Dell Wyse 3040 Hardware solutions / Firmware Wyse 5070 Hardware solutions / Firmware |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU47545
Risk: Medium
CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-12351
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the BlueZ implementation in Linux kernel. A remote attacker on the local network can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsWyse 5470: before 2.2 MR4
Dell Wyse 3040: before 2.2 MR4
Wyse 5070: before 2.2 MR4
CPE2.3- cpe:2.3:h:dell:wyse_5470:*:*:*:*:*:*:*:*
- cpe:2.3:h:dell:dell_wyse_3040:*:*:*:*:*:*:*:*
- cpe:2.3:h:dell:wyse_5070:*:*:*:*:*:*:*:*
https://www.dell.com/support/kbdoc/en-us/000181614/dsa-2021-002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU47546
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-12352
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in BlueZ implementation in Linux kernel. A remote attacker on the local network can pass specially crafted input to the application and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsWyse 5470: before 2.2 MR4
Dell Wyse 3040: before 2.2 MR4
Wyse 5070: before 2.2 MR4
CPE2.3- cpe:2.3:h:dell:wyse_5470:*:*:*:*:*:*:*:*
- cpe:2.3:h:dell:dell_wyse_3040:*:*:*:*:*:*:*:*
- cpe:2.3:h:dell:wyse_5070:*:*:*:*:*:*:*:*
https://www.dell.com/support/kbdoc/en-us/000181614/dsa-2021-002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
